In the security engineering community, we operate under a delicate social contract known as Coordinated Vulnerability Disclosure (CVD). This protocol is designed to ensure that security flaws are identified and remediated before they can be exploited by malicious actors, without causing undue harm to the organization or its users. However, a recent case highlighted by the security community (popularized by the “Dixken” report) reveals a disturbing trend: organizations favoring legal litigation over engineering remediation.
This is the story of how a critical vulnerability report was met with a cease-and-desist letter, and what it tells us about the current state of global security culture.
The Technical Breakdown: A Failure of Basic Authentications
The vulnerability in question was discovered in the member portal of a major diving insurer. For those of us who build and secure infrastructure, the flaws were fundamentally broken and almost trivial in nature.
1. Insecure Direct Object References (IDOR): The portal utilized incrementing numeric User IDs (e.g., 1000, 1001, 1002). This is a well-known vulnerability pattern that allows even a non-technical actor to enumerate the entire user database by simply changing an integer in the URL or the login request.
2. Static Default Passwords: Every new account was provisioned with a hardcoded, static default password. More critically, the system did not enforce a password change upon the first login.
3. Lack of Rate Limiting and MFA: Because the system lacked Multi-Factor Authentication (MFA) and basic rate-limiting (to prevent brute-force or enumeration), an attacker could automate the login process across millions of IDs, testing the default password with zero resistance.
As engineers, we recognize these as “Day 1” security mistakes. They represent a complete failure of the Security by Design principles that should be foundational for any platform handling sensitive user data, particularly when that data includes the personal information of minors.
The Disclosure Pipeline vs. The Legal Wall
The researcher followed the established industry standards. Prior to contacting the organization, they involved the national CSIRT (Computer Security Incident Response Team). This is a critical step that we often recommend, as it creates an official, government-backed record of the disclosure and provides a layer of protection for the researcher.
The response from the organization’s legal representation was a textbook example of what we call the “Chilling Effect”. Instead of an engineering post-mortem or a gratitude-based remediation plan, the researcher received a letter alleging criminal offenses under local Computer Misuse acts.
This reaction stems from a misunderstanding of security research. Organizations often perceive a vulnerability report as a hostile act or an attempt at extortion, rather than a gift of intelligence that could prevent a catastrophic data breach. By threatening the researcher with litigation, the organization chose to prioritize reputation management over the safety of its users’ data.
The Fallacy of User Responsibility
A particularly glaring aspect of the organization’s defense was the attempt to shift blame onto the users. Their legal team argued that it was the responsibility of the users to change their default passwords.
From an engineering and compliance perspective (especially under GDPR), this argument is dead on arrival. Under Article 24 of the GDPR, the data controller is responsible for implementing appropriate technical and organizational measures to ensure security. Deploying a system with incrementing IDs and static passwords is not an “appropriate measure.” It is a structural failure of host-side security.
As practitioners, we must realize that Security is a Host-Side Accountability. We cannot expect the average user to mitigate poor architecture. Our systems must be “Secure by Default.”
NIS2 and the Shift toward Protected Disclosure
We are currently seeing a global shift in the legal landscape regarding vulnerability research. The European Union’s NIS2 Directive specifically encourages Member States to establish frameworks for coordinated vulnerability disclosure. The goal is to provide a “safe harbor” for researchers acting in good faith.
When organizations respond with legal threats, they are not only acting against the spirit of modern security; they are increasingly acting against emerging regulatory standards. Transparency is becoming a requirement, not a choice. Under GDPR Articles 33 and 34, a breach resulting from such trivial vulnerabilities—especially when it involves sensitive data of minors—requires mandatory notification to both the supervisory authority and the affected individuals.
What We Must Learn as Engineers
This case serves as a critical case study for any organization building digital platforms in the 2026 landscape. We believe there are three primary takeaways for engineering leadership:
1. Vulnerabilities are Inevitable; Responses are Choices: Your reputation is determined not by the bug found in your code, but by how you treat the person who found it. An engineer-led response builds trust; a lawyer-led response destroys it.
2. Adopt a Public CVD Policy: Every organization should have a clear `security.txt` file and a publicized vulnerability disclosure policy. This provides a clear, safe path for researchers and sets the ground rules for both parties.
3. Grounding in Technical Reality: Legal departments must be briefed by the security team before responding to reports. Understanding the technical severity and the good-faith nature of a report can prevent a PR disaster and a “Chilling Effect” within the community.
Advice for Researchers
For our colleagues in the research community, the lessons are equally clear:
- Involve the CSIRT early. Never report a vulnerability without a third-party witness or mediator.
- Document the timeline. Keep every email, every header, and every log of your interactions.
- Refuse the “NDA trap.” You may (and should) agree to delete sensitive data, but avoid signing blanket Non-Disclosure Agreements that prevent you from discussing the process of your research and the organization’s response.
Conclusion: The Era of Collaborative Security
The incident involving the diving insurer’s portal is a reminder that the battle for a secure internet is as much about culture as it is about code. As we move toward more autonomous and complex systems, the need for a collaborative relationship between organizations and the research community has never been higher.
We must move past the fear of “reputational damage” and embrace the reality of the threat landscape. A reported bug is a fixed bug. A threatened researcher is a missed opportunity for a more secure future for everyone.
Let us build systems that are robust enough to withstand research and a culture that is mature enough to reward it.
Related: AI Security Vulnerability 2026: 5 DevOps Threats.
Related: 5 Common Internet Security Threats.
Discover more from Susiloharjo
Subscribe to get the latest posts sent to your email.